Working to help protect customers from vulnerabilities in Adobe software. Contact us at PSIRT(at)adobe(dot)com.

Archive for October, 2008

Today we released a Security Advisory for PageMaker 7. A corresponding update that resolves two of the three issues acknowledged in the Advisory has also been released. We are continuing to investigate a potential solution for the third issue. In the meantime, we’re advising customers to avoid opening PageMaker files from untrusted or unknown sources.
This posting is provided “AS IS” with no warranties and confers no rights.

The big news today is that CS4 has launched, along with Flash Player 10. We have released a Security Bulletin to correspond with the Flash Player 10 release. Flash Player 10 addresses Flash Player-specific aspects of the overall clickjacking issue that has been making news recently, and also includes a mitigation for recent clipboard attacks as well as other security enhancements. For customers who cannot upgrade to Flash Player 10, a Flash Player 9 update is currently scheduled for early November. We’ve also posted a Security Advisory for Flash Professional CS3, informing customers of potential issues with malformed SWF files. Note that Flash CS4 and Flash Player are not vulnerable to these issues.
We’d like to thank Robert Hansen and Jeremiah Grossman once again for their help, and extend special thanks to Liu Die Yu of TopsecTianRongXin for working with us on the clickjacking issue.

We have just posted a Security Advisory for Flash Player in response to recently published reports of a ‘Clickjacking’ issue in multiple web browsers that could allow an attacker to lure a web browser user into unknowingly clicking on a link or dialog. This potential ‘Clickjacking’ browser issue affects Adobe Flash Player’s microphone and camera access dialog. A Flash Player update to mitigate the issue will be available before the end of October. In the meantime, users can apply the workaround described in the Advisory.
Thank you again to Robert Hansen and Jeremiah Grossman for their help with this issue. Adobe will continue to work with Jeremiah, Robert, and browser vendors on a comprehensive Clickjacking solution.
This posting is provided “AS IS” with no warranties and confers no rights.